II. Feb. 



2008 16:29 6.E. EHRLICH (1995) LTD. 



No. 9828 P. 



In the claims: 

I. (Currently Amended) Computer device- apparatus configured to discover roles 
from structure existing amongst users to whom r e sources have been wsiffiim o^w^ 
recognition app a ratus for automatically discovering eroupo of resource* that oro assigned 
t fl common to groups of users, tho users, and resources, being input in icape c trvo 
partitions with current assignments , the apparatus comprising: 

a processor, 

an input for receiving a set of nodes of users, and 0 f resources, each user of said 
set comprising a node with an assignment of resources aa nf nn1r . m A 

resources, said arrangement comprising at loast two of ouid portition a the sets beine 



uSitioned, one partition- pjrt comprising said nodes -users and one partitiea-Dajj 
comprising said resources, andprodotcrmined said assignments being incorporated as 
ljnks. r e lationghips between respective s aid nod™ Hsgrs_ fl nd said-resources over said 
partitioning , and 

8 pattern reco gnition and node Kroupin e discoverv unit associated with said input 
and operable via said processor, configured for automatically finding- searching for 
patterns within said prodotcrminod r e lationchips links between said fledes -users and said 
resources, s a i d finding comprioing using pattern recognition on said nodes, said resources 
and said prodotcrminod relationships, and 

a grouping unit, associated wi th said discovery unit, configured hv onlrt r-ttnrr 
recognition to use said discovered patterns to form a t least one group from said user 
nodes -OL said resource nodes using said automatical l y discovered p atterns, such that 
fledes-users or resources having common relationship pattem g ajj of a subset of at [ggsj 
two links to common resources or users are placed into a same one of said at least one 
8 r0u P» 9 aid common rolationahip patterns comprising mutually shared relationships with 
a common s e t of said r es ource s^-, and 

an output unit configured_for outputting said group of nodes -users or resources 
sharing said relationship to said common set of rosourcc s as a role . 

2. (Currently Amended) The apparatus of claim 1, wherein- 
us e rsofa network, and said relationships are access permissions. 
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3. (Currently Amended) The apparatus of claim 1, wherein said nodes am 
mero of a notwoik, said resource ore resources of said network and said relationships are 
usage levels of respective resources by respective users. 

4. (Original) The apparatus of claim 2, wherein said relationships further 
comprise user access permission levels for respective resources. 

5. (Original) The apparatus of claim 2, wherein said at least one group is 
definitive of a user role on said network. 

6. (Currently Amended) The apparatus of claim 1 , wherein said node-, in said 
firot partition uiouser nodes comprise entities having attributes, and said relationships 
represent a respective user possessing a respective attribute. 

7. (Original) The apparatus of claim 2, wherein said pattern recognition unit 
is associated with a search engine operable to use a search tree to begin with a single 
resource and its associated users, and iteratively to add resources and remove users not 
having a predefined relationship with said iteratively added resources, to meet a resource 
number, or a user number constraint. 

8. (Original) The apparatus of claim 7, wherein said search engine is 
operable to use a homogeneity measure to determine whether to consider a candidate 
grouping in said search. 

9. (Original) The apparatus of claim 7, wherein said search engine is 
operable to use a homogeneity measure to determine in which order to consider a 
candidate grouping in said search. 
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10. (Original) The apparatus of claim 7, wherein said search engine is 
operable within said iterative stages to add further resources common to a current set of 



users. 



11. (Original) The apparatus of claim 10, wherein said search engine is 
operable to compute a set of all users related to a current set of resources. 

12. (Original) The apparatus of claim 11, wherein said search engine is 
operable to consider for expansion all resources outside said current set of resources that 
have at least one relationship connection with a current set of users. 

13. (Original) The apparatus of claim 8, wherein the set of users associated 
with each of said nodes is associated with attributes, and wherein said homogeneity 
measure is the percentage of occurrence of a given attribute, multiplied by the log value 
thereof, summed over all such users in said result. 

14. (Original) The apparatus of claim 8, wherein the set of resources 
associated with each of said nodes is associated with attributes, and wherein said 
homogeneity measure is the percentage of occurrence of a given attribute, multiplied by 
the log value thereof, summed over all such resources in said result. 

15. (Original) The apparatus of claim 8, wherein said homogeneity measure is 
the percentage of occurrence of a given resource relationship for any of the users 
associated with at least one of the resources of said node, multiplied by the log value 
thereof, summed over all users of said node in said result. 

16. (Original) The apparatus of claim 8, wherein said homogeneity measure is 
the percentage of occurrence of a given user relationship for any of the resources 
associated with at least one of the users of said node, multiplied by the log value thereof, 
summed over all resources of said node in said result. 
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17. (Original) The apparatus of claim 1, wherein said pattern recognition unit 
is operable to use said pattern recognition within an iterative tree searching process. 

18. (Currently Amended) The apparatus of claim 1, wherein said pattern 
recognition unit is operable to insert said groupings as an intermediate partkwn-^et 
amongst said nodes r t hereby to rcdefino said relationship j thiough oaid groupings . 

19. (Currently Amended) The apparatus of claim 1, wherein said nodes-users 
and said resources are arranged into three partWeflsjets, an intermediate one of said 
pa«itieBs-sets_comprising predetermined relationship dependent groupings of at least 
some of the nedes-usejrein a first of said partitwnssets, said pattern recognition unit being 
operable to use said pattern recognition to add new groups to said intermediate partition 
set- 

20. (Currently Amended) The apparatus of claim 1, wherein said input is 
associated with a graphical expositor, configured to present said input in a graph, said 
graphical expositor being operable to form -graphically represent ™\ rt no des and said 
resources into resource n o des within said paft&enssets. 

21. (Original) The apparatus of claim 20, wherein the graphical expositor is 
user interactive to manually modify the groupings discovered by the pattern recognition 
engine. 

22. (Currently Amended) The apparatus of claim 20, wherein said graphical 
expositor is further operable to partition the graph into sub-graphs, each of the sub-graphs 
itself being a partitioned graph having at least two partitiefts_set§, the sub-graphs being 
limited to a subset of the Bedes-users_in one of the partitwHssets, and further comprising 
all the nodes -Eesources in the other part&en-seLthat are linked theeete to users of said 
subset, and wherein said pattern recognition unit is further operable to perform groupings 
on each of the subgraphs, and then to merge the results into a full graph. 
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23. (Currently Amended) The apparatus of claim 20, wherein said graphical 
expositor is further operable to partition the graph into sub-graphs, each of the sub-graphs 
itself being a bi-partite graph limited to a subset of the nodes- resources in the second 
partWenset, and further comprising all the nodes-users,in the first paftitieH-set_that are 
linked thereto, and wherein said pattern recognition unit is further operable to perform 
groupings on each of the subgraphs, and then to merge the results into a full graph. 

24. (Original) The apparatus of claim 20, wherein said graphical expositor, is 
user interactive to allow an operator to review user group associations and user resource 
relations, and to allow said operator to manipulate user access rights. 

25. (Currently Amended) Patt e rn reoognition Role discovery method for 
electronically grouping nodes according to exMing_relationships with resources, the 
method comprising: 

receiving an arrangement of nodes and resources, said resources being partitioned 
from said nodes and with predetermined relationships between ones of said resources and 
said- corresponding nodes, and 

automatically findjae-discoveriiig gxisgag re\*ti« n «w T patterns between said 
arrangement of nodes and resources across said partitioning-wiag pattern recognition on 
sai d node s , said rcaourc e g and cajd relationships , 

using said foufld-djscjDvered.patterns, forming at least one groupin g grouping said 
arrangement of erodes, wherein said grouped nodes being formed into said grouping 
share relationships with at [east two common onos of a predetermined number of said 
resources, and 

outputting said grouping of nodes having common patterns of at least two 
ejusdn^relationshipsjsaioje. 

26. (Currently Amended) A reverse engineering device for discovering 
existing .structure in a partitioned arrangement of nodes and resources , wherein nodes 
have relationships with variou s of said resources, the device comprising: 

a processor, 
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an input configured for receiving an -said partitioned; arrangement 0 f nodes and 
resources, said arrangement comprising at least two partftwnssgte, said partitions being 
of said nodes and said resources respectively, and with predetermined relationships 
defined between said nodes and said resources across said partitions sets, and 

a pattern rooognition djscovery, unit configured to work with said processor, for 
automatically finding-discoverinR relationship patterns within said existing relationshi ps 
using pattern recognition on said nodes, said resources and said predetermined 
relationships, 

a node-grouping unit associated with said pattern recognition unit and configured 
to operate with said processor to use said relationship patterns to form groups from said 
nodes, such that those nodes that share similar patterns-subsets o f at least two 
relationships with said resources are placed in a group together, and 

an output configured to output said-respective weup- grnn^nf nodes having 
said similar pattern of rclationship s subsets of at least rw 0 relationship s as rpW 

27. (Currently Amended) Computer device comprising: 
a processor 

a first series of user definitions, each user in said definitions defined as a user 

node; 

a second series of resource definitions, each resource in said definitions defined as 
a resource node; 

access data indicating access of users to respective resources; and 
a pattern recognition unit operable with said processor for automatically 
dtsoovering -recoRnizing jre-existing patterns in said access data, said patterns indicative 
of a way of grouping said nodes so as to discov e r groups of nodes having mmm™ 
subsets of at least two respurcesffjoup of rosouroos that are a ssi gned in common to a 
group of users, and 

a group definition unit operable with said processor and said pattern recognition 
unit fei ^configured to nti n g «ich discovorod pro ox i sung pattern to o utput groups so 
discovered a? roles. n gro u p of mors having acceafl to common resources. 
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28. (New) The apparatus of claim 1, wherein said role comprises said users or 
said resources sharing only said subset. 

29. (New) Pattern recognition apparatus for grouping nodes according to 
relationships with other nodes, the apparatus comprising: 

an input for receiving nodes partitioned into a first set and a second set, and with 
relationships between nodes in respective first and second sets defined by links across 
said partition, and 

a pattern recognition processor associated with said input, for using pattern 
recognition on said links to find relationship patterns within said links, and from said 
patterns to form at least one group from nodes of said first set, wherein said nodes being 
formed into said group share relationships with at least two nodes in said second set. 

30. (New) Group discovery method for automatically discovering groups 
according to an initially unknown structure in existing electronically held data, said 
electronically held data comprising nodes partitioned into first and second data sets, 
wherein links exist within said data between nodes in said first data set and nodes in said 
second data set, the initially unknown structure being within said links, the method 
comprising: 

electronically searching said data, and 

grouping nodes in said first set according to respective links such that all nodes in 
said first set having links to at least two commonly held nodes in said second set are 
assigned to a same group, thereby discovering groups in said data according to said 
initially unknown structure. 

31. (New) A method of automatically grouping users having links or attributes 
into one or more groups based on said links or attributes, the method comprising: 

providing a group for users sharing all of a subset of at least two of said links or 
attributes, and 

outputting said provided groups. 
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32. (New) The apparatus of claim 1, wherein said discovery unit is configured to 
carry out said searching by one member of the group consisting of a clustering algorithm, 
an incremental search and a search tree. 

33. (New) The apparatus of claim 1, wherein said outputting said group comprises 
outputting a characteristic of said group. 

34. (New) A search method for automatically searching initially unknown 
structures in existing electronically held data, said electronically held data comprising 
nodes partitioned into first and second data sets, wherein links exist within said data 
between nodes in said first data set and nodes in said second data set, the initially 
unknown structure being within said links, the method comprising: 

electronically searching said data according to said links, and 
grouping nodes in said first set according to respective links such that all nodes in 
said first set having links to at least two commonly held nodes in said second set are 
assigned to a same group, thereby discovering groups in said data according to said 
initially unknown structure. 

35. (New) Search apparatus for automatically searching initially unknown 

structures in existing electronically held data, said electronically held data comprising 

nodes partitioned into first and second data sets, wherein links exist within said data 

between nodes in said first data set and nodes in said second data set, the initially 

unknown structure being within said links, the apparatus comprising: 

a search unit, configured for electronically searching said data according to said 
links, and 

a structuring unit, associated with said search unit, configured for grouping nodes 
in said first set according to respective links such that all nodes in said first set having 
links to at least two commonly held nodes in said second set are assigned to a same 
group, thereby discovering groups in said data according to said initially unknown 
structure. 



